[33248] in Kerberos
Re: Help: Why SSL must be enabled when using mod_auth_kerb in httpd?
daemon@ATHENA.MIT.EDU (Lee Eric)
Sat Mar 5 10:46:54 2011
In-Reply-To: <1299339714.2397.21.camel@t410>
Date: Sat, 5 Mar 2011 23:46:50 +0800
Message-ID: <AANLkTin31a1g6hvHMg_CP9Htbiiwd5nMjktNr6AYF5p2@mail.gmail.com>
From: Lee Eric <openlinuxsource@gmail.com>
To: Greg Hudson <ghudson@mit.edu>
Cc: "kerberos@mit.edu" <kerberos@mit.edu>
Thanks mate. So it looks like there's no obvious reason to use SSL
when using Kerberos. But I saw the sample configuration of
mod_auth_kerb module that indicates "SSLRequireSSL" should be set up
by using this module. So I want to know what part SSL protects indeed.
Thanks very much.
Eric
On Sat, Mar 5, 2011 at 11:41 PM, Greg Hudson <ghudson@mit.edu> wrote:
> On Sat, 2011-03-05 at 04:17 -0500, Lee Eric wrote:
>> Hi,
>>
>> I'm just thinking why SSL must be enabled when using mod_auth_kerb in
>> httpd. Because password will be transferred in encryption by Kerberos.
>> So is SSL used to protect the tickets or anything else?
>
> I'm not sure if it must be enabled, but there are reasons why it might
> be a good idea. The HTTP authentication protocol used by mod_auth_kerb
> does not protect the data stream, so without a secure channel (i.e.
> SSL), there is nothing connecting the authentication to the request or
> response.
>
> Also, just to nitpick, but Kerberos authentication doesn't transport
> your password at all, even when you get initial tickets.
>
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
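
Added example, not part of the thread and not mod_auth_kerb's own code: a small audit that flags Kerberos-protected blocks in an httpd configuration that lack `SSLRequireSSL`, the directive the thread asks about, or that leave the module's password fallback enabled. The sample configuration, its paths and the function names are constructed for illustration.

```python
import re

# Constructed sample httpd configuration (not taken from the thread).
SAMPLE_CONF = """
<Location /open>
    AuthType Kerberos
    KrbMethodNegotiate On
    Krb5KeyTab /etc/httpd/conf/httpd.keytab
    Require valid-user
</Location>
<Location /private>
    SSLRequireSSL
    AuthType Kerberos
    KrbMethodNegotiate On
    KrbMethodK5Passwd Off
    Krb5KeyTab /etc/httpd/conf/httpd.keytab
    Require valid-user
</Location>
"""

BLOCK = re.compile(r"<(Location|Directory)\s+([^>]+)>(.*?)</\1>", re.S | re.I)

def directives(body):
    """Map lower-cased directive name -> argument string, skipping comments."""
    out = {}
    for line in body.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            name, *rest = line.split(None, 1)
            out[name.lower()] = rest[0] if rest else ""
    return out

def audit(conf):
    """Return (path, finding) pairs for blocks that use AuthType Kerberos."""
    findings = []
    for _, path, body in BLOCK.findall(conf):
        d = directives(body)
        if d.get("authtype", "").lower() != "kerberos":
            continue
        if "sslrequiressl" not in d:
            findings.append((path, "no SSLRequireSSL: request and response are unprotected"))
        # mod_auth_kerb enables password (Basic) fallback unless it is turned
        # off; over plain HTTP that fallback sends the password itself.
        if d.get("krbmethodk5passwd", "on").lower() != "off":
            findings.append((path, "KrbMethodK5Passwd not Off: password fallback enabled"))
    return findings

if __name__ == "__main__":
    for path, finding in audit(SAMPLE_CONF):
        print(f"{path}: {finding}")
```
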